Researchers have found that 95 percent of enterprise SAP installations contain highly critical
security vulnerabilities that could allow systems to be hijacked, according to a newly issued
report.

Onapsis chief executive Mariano Nunez says the 250,000 SAP customers are exposed for an
average of 1 1/2 years from when vulnerabilities surface, with SAP taking some twelve months to
develop security patches.

"The really big surprise is that SAP cyber security is falling through the cracks at most companies
due to a responsibility gap between the SAP operations team and the IT security team," Nunez says.

"The truth of the matter is that most patches applied are either not security-related, are late or introduce
further security risks," he added.

The Boston research consultancy found that in 2014 SAP delivered about 391 security patches, of which
half were labelled high priority.

Nunez lays blame in part on SAP's 'HANA System', which he says is responsible for a whopping 450 percent
increase in the number of security issues.

"This new trend is not only continuing, but exacerbating with SAP HANA, positioned in the center
of the SAP ecosystem where data stored in SAP platforms now must be protected both in the cloud and
on-premise," Nunez says.

The most severe vulnerabilities topped 9.5 on a severity scale of 10 for four holes
in SAP SQL Anywhere, followed by no fewer than eighteen holes rated 7.5 in Sybase ESP.

"We are not only speaking about the number of security vulnerabilities here, which is quite large,
but also the criticality of these various issues," said ERPScan founder Alexander Polyakov.

Polyakov says SAP's closed, customer-only support portal shows some 388 small patches dubbed 'security
notes' released last year, up 7 percent from 2013.

"To be sure, SAP Security notes are actually small patches that usually close one or more security
vulnerabilities in SAP applications found by third-party companies and SAP's internal security team,"
he says.

In fact, the situation is probably substantially worse than this, according to Polyakov, considering
that several bugs are likely to have been introduced into custom SAP installations.

"If experienced SAP developers can still leave mistakes in their code, imagine what is happening with
customized SAP programs, especially those outsourced to other companies. High competition between outsourcing
companies drives them to minimise development time and resources, which usually impacts security," he added.

Polyakov has published a few whitepapers detailing common SAP security vulnerabilities, penetration
testing guidelines, and recommended defenses.